[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Tue Apr 21 13:05:38 UTC 2020
The branch OpenSSL_1_1_1-stable has been updated
via 49d391d03c11352eeadec7df39c48d1c83fb164e (commit)
via e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72 (commit)
via a1ec85c169a8e53e52ab35914ad47b5baea84070 (commit)
via eb563247aef3e83dda7679c43f9649270462e5b1 (commit)
via 64eef86733fd40a5b7737dc586754c3fa3414b0c (commit)
via 23424be835dc10f0942c91952142d75345ef9de1 (commit)
from bb19162558017d530a6c26d6eb972ba15d73ba81 (commit)
- Log -----------------------------------------------------------------
commit 49d391d03c11352eeadec7df39c48d1c83fb164e
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 21 13:24:21 2020 +0100
Prepare for 1.1.1h-dev
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 21 13:22:39 2020 +0100
Prepare for 1.1.1g release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit a1ec85c169a8e53e52ab35914ad47b5baea84070
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 21 10:49:12 2020 +0100
Update copyright year
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit eb563247aef3e83dda7679c43f9649270462e5b1
Author: Benjamin Kaduk <kaduk at mit.edu>
Date: Fri Apr 10 12:27:28 2020 -0700
Fix NULL dereference in SSL_check_chain() for TLS 1.3
In the tls1_check_sig_alg() helper function, we loop through the list of
"signature_algorithms_cert" values received from the client and attempt
to look up each one in turn in our internal table that maps wire
codepoint to string-form name, digest and/or signature NID, etc., in
order to compare the signature scheme from the peer's list against what
is used to sign the certificates in the certificate chain we're
checking. Unfortunately, when the peer sends a value that we don't
support, the lookup returns NULL, but we unconditionally dereference the
lookup result for the comparison, leading to an application crash
triggerable by an unauthenticated client.
Since we will not be able to say anything about algorithms we don't
recognize, treat NULL return from lookup as "does not match".
We currently only apply the "signature_algorithm_cert" checks on TLS 1.3
connections, so previous TLS versions are unaffected. SSL_check_chain()
is not called directly from libssl, but may be used by the application
inside a callback (e.g., client_hello or cert callback) to verify that a
candidate certificate chain will be acceptable to the client.
CVE-2020-1967
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 64eef86733fd40a5b7737dc586754c3fa3414b0c
Author: Benjamin Kaduk <kaduk at mit.edu>
Date: Fri Apr 10 12:27:28 2020 -0700
Add test for CVE-2020-1967
Add to test_sslsigalgs a TLSProxy test that injects a
"signature_algorithms_cert" extension that contains an unallocated
codepoint.
The test currently fails, since s_server segfaults instead of
ignoring the unrecognized value.
Since "signature_algorithms" and "signature_algorithms_cert" are very
similar, also add the analogous test for "signature_algorithms".
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 23424be835dc10f0942c91952142d75345ef9de1
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 21 10:33:43 2020 +0100
Update CHANGES and NEWS for release of 1.1.1g
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 16 +++++++++-
NEWS | 6 +++-
README | 2 +-
apps/dhparam.c | 2 +-
apps/dsa.c | 2 +-
apps/dsaparam.c | 2 +-
apps/ec.c | 2 +-
apps/ecparam.c | 2 +-
apps/engine.c | 2 +-
apps/gendsa.c | 2 +-
apps/genrsa.c | 2 +-
apps/ocsp.c | 2 +-
apps/pkcs12.c | 2 +-
apps/rsa.c | 2 +-
apps/rsautl.c | 2 +-
apps/s_time.c | 2 +-
apps/srp.c | 2 +-
apps/ts.c | 2 +-
crypto/aes/aes_core.c | 2 +-
crypto/aes/aes_local.h | 2 +-
crypto/asn1/asn1_lib.c | 2 +-
crypto/ec/ec_asn1.c | 2 +-
crypto/ec/ec_lib.c | 2 +-
crypto/ec/ec_mult.c | 2 +-
crypto/ec/ecp_smpl.c | 2 +-
crypto/rand/drbg_ctr.c | 2 +-
crypto/threads_win.c | 2 +-
doc/man1/s_time.pod | 2 +-
doc/man3/EVP_aes.pod | 2 +-
doc/man3/RAND_set_rand_method.pod | 2 +-
doc/man3/X509_check_purpose.pod | 2 +-
include/openssl/opensslv.h | 4 +--
ssl/t1_lib.c | 2 +-
test/recipes/25-test_verify.t | 2 +-
test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++--
test/sm2_internal_test.c | 2 +-
36 files changed, 118 insertions(+), 38 deletions(-)
diff --git a/CHANGES b/CHANGES
index 6239fa4139..228408d9f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,21 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
- Changes between 1.1.1f and 1.1.1g [xx XXX xxxx]
+ Changes between 1.1.1g and 1.1.1h [xx XXX xxxx]
+
+ *)
+
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+ *) Fixed segmentation fault in SSL_check_chain()
+ Server or client applications that call the SSL_check_chain() function
+ during or after a TLS 1.3 handshake may crash due to a NULL pointer
+ dereference as a result of incorrect handling of the
+ "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+ or unrecognised signature algorithm is received from the peer. This could
+ be exploited by a malicious peer in a Denial of Service attack.
+ (CVE-2020-1967)
+ [Benjamin Kaduk]
*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
diff --git a/NEWS b/NEWS
index 79202c3af2..fc8ff7371a 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [under development]
+ Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [under development]
o
+ Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
+
+ o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
+
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
o Revert the unexpected EOF reporting via SSL_ERROR_SSL
diff --git a/README b/README
index 2fa731e0a9..c7bf50c520 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1g-dev
+ OpenSSL 1.1.1h-dev
Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 11fc3f6bd2..98c73214b5 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/dsa.c b/apps/dsa.c
index fb59e1b4c0..c7884df166 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index ba00bee02b..75589ac6bc 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ec.c b/apps/ec.c
index f48ffbe1b3..0c8ed750cc 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 65ff660964..58fbeb95c9 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
diff --git a/apps/engine.c b/apps/engine.c
index a00161ed29..746cace354 100644
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 74540ffde5..ec57c92a94 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/genrsa.c b/apps/genrsa.c
index eff38b35ed..e34a2f7ab9 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ocsp.c b/apps/ocsp.c
index eb98c25310..27ec94fa6b 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 5b33586d2f..8c5d963b8c 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/rsa.c b/apps/rsa.c
index 7a8502288b..aeda917cc7 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/rsautl.c b/apps/rsautl.c
index a24a7e5a79..0c0fa8eba3 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/s_time.c b/apps/s_time.c
index d52f525eac..628e65b26e 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/apps/srp.c b/apps/srp.c
index 3ffe68fcad..6c58173879 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
diff --git a/apps/ts.c b/apps/ts.c
index 87e31f2d49..66a0c810e0 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
index d3670533e9..687dd5829b 100644
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/aes/aes_local.h b/crypto/aes/aes_local.h
index 626b702ed5..a9c0059e52 100644
--- a/crypto/aes/aes_local.h
+++ b/crypto/aes/aes_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 5cd0e16b52..366afc5f6c 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 831b74ce6c..006f9a5dea 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 22b00e203d..6832383cad 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index d2e4773270..9a1e3974ed 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index 6903db58ff..b3110ec89d 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index af201971dd..0f0ad1b37b 100644
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/threads_win.c b/crypto/threads_win.c
index 0e6d77103b..83dccb84fb 100644
--- a/crypto/threads_win.c
+++ b/crypto/threads_win.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/s_time.pod b/doc/man1/s_time.pod
index 85e9b7f627..e1a3bef41c 100644
--- a/doc/man1/s_time.pod
+++ b/doc/man1/s_time.pod
@@ -202,7 +202,7 @@ L<s_client(1)>, L<s_server(1)>, L<ciphers(1)>
=head1 COPYRIGHT
-Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_aes.pod b/doc/man3/EVP_aes.pod
index 7db48a427f..6377fc9a21 100644
--- a/doc/man3/EVP_aes.pod
+++ b/doc/man3/EVP_aes.pod
@@ -183,7 +183,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/RAND_set_rand_method.pod b/doc/man3/RAND_set_rand_method.pod
index b89fab43c9..1e9360d220 100644
--- a/doc/man3/RAND_set_rand_method.pod
+++ b/doc/man3/RAND_set_rand_method.pod
@@ -60,7 +60,7 @@ L<RAND(7)>
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod
index e44a9ea15b..bc38138743 100644
--- a/doc/man3/X509_check_purpose.pod
+++ b/doc/man3/X509_check_purpose.pod
@@ -66,7 +66,7 @@ For CA checks the below integers could be returned with the following meanings:
=head1 COPYRIGHT
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this
file except in compliance with the License. You can obtain a copy in the file
LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>.
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 3e4c167af1..e6b5825b81 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10101070L
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g-dev xx XXX xxxx"
+# define OPENSSL_VERSION_NUMBER 0x10101080L
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h-dev xx XXX xxxx"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a254fd5a05..76b4baa388 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2130,7 +2130,7 @@ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
- if (sig_nid == sigalg->sigandhash)
+ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
return 1;
}
return 0;
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 0e0f5dca21..cf7842cdfd 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index b3339ff59f..9ea9d05219 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -44,7 +44,9 @@ use constant {
COMPAT_SIGALGS => 6,
SIGALGS_CERT_ALL => 7,
SIGALGS_CERT_PKCS => 8,
- SIGALGS_CERT_INVALID => 9
+ SIGALGS_CERT_INVALID => 9,
+ UNRECOGNIZED_SIGALGS_CERT => 10,
+ UNRECOGNIZED_SIGALG => 11
};
#Note: Throughout this test we override the default ciphersuites where TLSv1.2
@@ -53,7 +55,7 @@ use constant {
#Test 1: Default sig algs should succeed
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 24;
+plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
@@ -282,6 +284,39 @@ SKIP: {
ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
}
+SKIP: {
+ skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
+ #Test 25: Send an unrecognized signature_algorithms_cert
+ # We should be able to skip over the unrecognized value and use a
+ # valid one that appears later in the list.
+ $proxy->clear();
+ $proxy->filter(\&inject_unrecognized_sigalg);
+ $proxy->clientflags("-tls1_3");
+ # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is
+ # needed to trigger (e.g.) CVE-2020-1967
+ $proxy->serverflags("" .
+ " -xcert " . srctop_file("test", "certs", "servercert.pem") .
+ " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+ " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+ $testtype = UNRECOGNIZED_SIGALGS_CERT;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");
+
+ #Test 26: Send an unrecognized signature_algorithms
+ # We should be able to skip over the unrecognized value and use a
+ # valid one that appears later in the list.
+ $proxy->clear();
+ $proxy->filter(\&inject_unrecognized_sigalg);
+ $proxy->clientflags("-tls1_3");
+ $proxy->serverflags("" .
+ " -xcert " . srctop_file("test", "certs", "servercert.pem") .
+ " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+ " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+ $testtype = UNRECOGNIZED_SIGALG;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
+}
+
sub sigalgs_filter
@@ -427,3 +462,30 @@ sub modify_cert_verify_sigalg
}
}
}
+
+sub inject_unrecognized_sigalg
+{
+ my $proxy = shift;
+ my $type;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+ if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
+ $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
+ } elsif ($testtype == UNRECOGNIZED_SIGALG) {
+ $type = TLSProxy::Message::EXT_SIG_ALGS;
+ } else {
+ return;
+ }
+
+ my $ext = pack "C8",
+ 0x00, 0x06, #Extension length
+ 0xfe, 0x18, #private use
+ 0x04, 0x01, #rsa_pkcs1_sha256
+ 0x08, 0x04; #rsa_pss_rsae_sha256;
+ my $message = ${$proxy->message_list}[0];
+ $message->set_extension($type, $ext);
+ $message->repack;
+}
diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
index f7e4e38d03..2bb73947ff 100644
--- a/test/sm2_internal_test.c
+++ b/test/sm2_internal_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
More information about the openssl-commits
mailing list